Eugene Kaspersky on how to protect industry in the IoT age

The cyber immunologist

On his first visit to Lebanon, Russian cybersecurity magnate Eugene Kaspersky divided his time between discussions with ministries, long-time banking clients, and visits to the country’s famed archeological sites. In between, he took time to sit down with a few media entities. In an interview that was arranged as a joint meeting of Kaspersky with Arabic-language business magazine Al Iktissad Wal Amal (AIWA) and Executive, he answered Executive’s questions about the next big threats in cyberspace and the company’s interaction with the Lebanese market.

Responding to a question from AIWA at the outset of the interview, Kaspersky explains that he was pleased to meet ministry officials in Lebanon who understand the importance of cybersecurity, and agree on the need to advance cybersecurity and related education, not only in areas of traditional computer systems and smartphones, but also in the realms of industries, the internet of things (IoT), infrastructure, and physical systems. He notes that the industrial and transportation sectors and infrastructure such as seaports all face different cyber threats, and that security needs to be adapted to their differing needs.

E Is this area of infrastructure where you see the biggest threats playing out in the next few years?

Yes. There are many attacks against smartphones and traditional computer systems from different kinds of hackers and cyber criminals, and unfortunately some of them are so professional as to be able to rob banks and protected enterprises, but we have technologies and solutions which can recognize the attacks and investigate what is going on in your network. It is not just protection from massive attacks but also detection of sophisticated cyber hacking tools. But in the industrial sector, it is very hard to create cybersecurity. Industrial systems are in a situation where, in many cases, they cannot upgrade the software because it is [used in an uninterrupted industrial] process. The software then can only be updated when the machines in question, the generators or turbines, are stopped for technical maintenance. Many systems differ from each other and updating these systems takes time and resources. This is a problem. Also, we see that many of these unfortunately are vulnerable, so cybersecurity in the industrial sector, transportation, and critical infrastructure is now most important.

Answering AIWA’s next question, Kaspersky says he met ministers May Chidiac and Raya Hassan and confirms a high level of awareness of cybersecurity and technical knowledge at the ministries. He adds that he met with a leading bank and is engaged in discussing future technologies with his Lebanese contacts. He explains that his company is working on new products and technologies that will assist organizations in recognizing if processes are not performing as they should. “It is not just about cybersecurity. We have a machine learning anomaly detection system which is new,” he says. Elaborating that other providers offer such anomaly detection services for machine learning in big data environments, he adds that they do so as providers of mathematical instruments but not in a cybersecurity context. Such tools work for the collection of big data, for example, in the operation of airplanes, where computers can be used to predict technical problems. “This is based on the fact that there is so much data and [anomaly indications] in little things which humans will never recognize but computers can see, so that we can build the algorithm to recognize the problem, and we can do this for non-cybersecurity [uses],” he says.

E Does the inverse case also apply that there are problems that the algorithm cannot detect but the human can?

It works in both ways. We highlight a possible problem that the computer can see but does not understand; so the human is there to understand the problem that is highlighted by the computer. We call it a ‘humachine,’ not a human machine and are working on a system that can recognize, for example, financial fraud, which is not cyber. We are also working on and investing a lot into an immunity platform. The definition of immunity [in cybersecurity] is that for the system to be immune, a hacker attack must be more expensive than the [cost incurred] by the possible damage. It is like in cryptology where the breaking of the code must be more expensive than the value of the information. Hackers try to estimate or calculate how much money it costs to hack a system. Hacking random individuals is of course very simple—one just runs an attack on a million targets, and if 1,000 of them [fall for the attack] you have these 1,000. It is easy. To hack particular individuals is more complicated and requires learning about the target individual. To hack an enterprise is possible but is even more complicated, and it is getting more and more expensive. We are therefore working on a technology where we can estimate the cost of an attack for hackers. This system is based on a new operating system that is not Linux, Unix, or Microsoft.

E Proprietary?

Yes, it is entirely new, in-house, and made from scratch. The main difference [with this operating system] is that we split the system into micro-modules and each module has its permissions. In short, if you are a calculator [within this system], you do not have access to the internet. A calculator will have access only to the keyboard and the screen. If you are a turbine, you do not have access to the keyboard or the screen, or the internet. Permissions are very strict for the turbine. Thus, if the calculator is hacked, it cannot [be used to] manage the turbine. Unlike other systems where there is a lot of freedom, this system will have very limited permissions. If you don’t have permissions to do specific things, don’t ask. To hack this system can only be done in one way: hacking the developers and injecting something into the source code or adding something in their compilation. So you have to hack the enterprise that develops the software. So how to make it more expensive to hack [this system]? If it is an expensive turbine, then you take the [software] modules when they are tested and ready for deployment to a clean room and check the source code and machine code. There are tools for this task, so it is not too complicated. So the turbine, it becomes too expensive to hack, especially if you have something like five different clean rooms in the city used for the tasks. Then you can ask hackers how much it costs to hack six different locations at the same time and develop an attack that will inject their code into the compiling environment? [You can further ask them how much it will cost] to create stealth technology to make their code invisible in the clean rooms, also keeping in mind that these clean rooms will be very well protected, and thus there will be a very high risk [for the hackers] to be recognized, investigated, and arrested. 
In short, when I explain it to my people, I say we have to protect a power plant [by raising the cost of hacking it to such a level] that it is less expensive to send a cruise missile to destroy it.

E Would it be possible to engineer vectors for an intrusion from another IoT connected machine into a power plant or connected machine?

With our system, no.

E So you are saying IoT with Kaspersky will be safe?

Absolutely. Unhackable. Immune.

E Relatively speaking?

Security and immunity are like a nightclub. In a nightclub, security is outside watching over the doors and seeing who is coming, and on the inside watching the behavior of the visitors. Immunity means that the nightclub is made from iron so that visitors can’t destroy it; no need for security. So we have this immunity [development project] for the Internet of Things and for industrial immunity. It is ready, and we are collaborating with our partners, since we don’t do hardware. Our partners have already developed the network equipment, [such as] switches, routers, security cameras, and other devices. They installed their prototypes in a smart district project in Moscow and collected big data from the district to do whatever they wanted. The sensors are also based on our operating system. It is ready for the Internet of Things, and we are working on this system to promote it for the physical infrastructure.

E In a previous interview, you mentioned a dichotomy between developed and developing economies, whereby the prizes that hackers can take home from a developed economy are much more lucrative but also much better protected, whereas in a developing economy you have much lower protective barriers but also much less value of the hackers’ loot.

This is true, and I think that Lebanon is in a good situation. You can learn from the mistakes of others, see what is wrong there and build your [cybersecurity] systems in the right way. It is like with [large commercial] airports where the worst in the world are in the United States, and the best are in the Middle East and Asia. Why? Because the Americans were the first to build [these airports]. In Asia and the Middle East, Dubai and Abu Dhabi, they just learned and introduced new standards [for airport construction]. There are benefits for being first and there is profit from being first, but the others can learn from the mistakes [made by those who were first].

Kaspersky reconfirms in response to an AIWA question that the company is not starting to do business in Lebanon but has had contracts in the financial sector already for many years. He emphasizes that the company is thinking about improving its business in Lebanon and introducing its new technologies.

E In how many Middle Eastern countries are you engaged in business with the public or private sectors, and how does Lebanon rank in terms of contribution to your business when compared with the region’s bigger tech consumer countries?

We are present in all countries of the region. We have an office in Dubai, and for [distribution of] our traditional products we work with partners. So we have partners everywhere. For our services, which we provide, we don’t need [resale] partners, and we sometimes have direct contracts. In the region we are doing very well, we have double-digit growth—(laughs) less than 20 percent year-on-year. We have very good results in the region, in Lebanon less than in some other richer economies, but I would say that our market presence here is bigger than in some other countries. What I see is that we have very good opportunities in Lebanon, and we will do our best to prove that we are the right partner to work with, not only in cybersecurity products and business, but also in education. Education [of cybersecurity engineers] is very important. There is high demand for such people, and they are typically very well paid.

E Are you intending to invest in cybersecurity education in Middle East markets?

I don’t want to say this is an investment. It is not money. It is providing our knowledge. We are collaborating with startups and companies [for education]. We are not doing that in Lebanon at the moment, but can do so.

E When we talk about a country like Lebanon, where the cybersecurity framework on a national level has not been very strong in the past and is not yet highly developed today, what in your experience is the better course of awareness creation and cybersecurity development: talking to the government, or talking to the totality of private sector enterprises about cybersecurity, noting that 70 or more percent of cybersecurity installations in this market appear to be located at banks?

Unfortunately, Homo sapiens are still the same. These creatures learn from their mistakes. Before they are affected by problems, even if they heard about them, they go, ‘Yeah, I know, but that is a different village.’ Why is the banking sector so aware? Because they have been under attack for decades. As the damage has been big enough, they learned a lot from this. Security and cybersecurity are a top priority for all banks, as banks are heading now into cyberspace. At the same time, [non-financial] industries, even if they heard about the problems, they only learn from real cases. (Citing his experience from the 2012 World Economic Forum, Kaspersky adds that at the time the oil and gas executives were much more aware of cybersecurity issues than transport sector leaders.) People learn from incidents, but I think in the past five years this has changed. The number of incidents was intense enough so that they understood that a cyber-attack can happen to everyone.

E Are there any total blind spots where industries today are totally oblivious to cyber threats?

Not anymore. There are no exceptions. One minor exception: [corporations] understand the risks of computers, smartphones, SCADA [supervisory control and data acquisition], and critical infrastructure. What they do not realize is that all the systems are hyper-connected, and that sometimes the connections are unpredictable. There are so many different technologies in the cyber-network which connect critical infrastructure to the rest of the world. They don’t realize this [and] are still thinking cables and wifi, but there are now many technologies coming up that are different.

In response to AIWA’s question if the ban of Kaspersky products by the US affected the company’s business in the Middle East, the magnate explains that the ban did not affect business in Canada and Mexico and had limited impact in the US, with a 25 percent market loss, applied only to government sector entities because no allegation against his company was proven. “We still have consumer business in the US and digital online and partners in the US for [doing business with] SMEs. In November we will host a conference for North American partners in Cancun [Mexico],” he says.

E Do people in the Middle East like you more because the US does not like you?

I do not really want to comment on that. (Winks) What do you say? We lost some of our partners and some of our customers, but it was compensated by new and larger attention from others—this even more so as we opened a transparency center and made our technologies available for inspection. So if you have any questions, please look.

E Can you provide us with some annual result figures?

We publish all results in March. (A February 2019 press release by Kaspersky Lab says the company had stable growth in 2018 and achieved 4 percent year-on-year unaudited revenue growth to $726 million.)

E So all the numbers for 2018 are out. Do the numbers for 2019 point in the same direction?

Yes. Unfortunately, we do not demonstrate double-digit growth in all regions. (According to the company’s website, the strongest growth in 2018 was realized in the Middle East, Turkey, and Africa region, at 27 percent.)

E It seems that you are passionate about cybersecurity and about travel and visiting special geographies and historic places. Do you have another passion that ranks with these?

From time to time I do some of this. (Kaspersky gets up from his chair and fetches two Rubik cube derivatives of six and nine rows that feature smileys when solved). I like this. I don’t want to say this is my passion, but I can assemble it easily and [align] the pictures on the cube. I am passionate about my work, travel, [and] family when I am at home. What is my passion? My passion is to solve the problem of cybersecurity, [and] to build a safe world. To make the world immune, so that you don’t need anti-virus.

E As you mentioned Homo sapiens still being the same, you are certainly very aware of the speculations about AI, the singularity, transhumanism, and the future development of mankind. So if you look today forward to 2030, first on a personal level, do you think you will be retiring at age 65?

I don’t know. Most probably not, because there will still be a lot of work to do with immunity. I will retire when I am convinced that the immunity systems [are on their way]. To make all infrastructure in the world immune will take long, long years. But when I see that the world is moving in the right direction—I don’t want to say with our technologies, I am pretty sure there will be competitors—I will retire.

E And how do you see the world around you in 2030? Will we have cyborgs, will we have a singularity as some assume where the speed of computing intelligence will surpass human intelligence in ways that cannot be reversed? Will we see a total AI takeover?

It is very hard to predict what happens 10 years from now. For example, who could predict in 2009 that Bitcoins and Blockchain would develop in [such a volatile way]? As I am investing into cybersecurity and cyber-immunity, I have [set] targets for my guys for the next three years, such as a target that one gigawatt of electricity must be produced or transported with our technologies. I told my cyber immunity guys that we must have real working systems based on a cyber immunity platform, not just in the Internet of Things, but also in critical infrastructures.

E The well-known science fiction writer and compatriot by Polish ancestry Stanislaw Lem wrote over 40 years ago about a computer AI that is becoming so advanced in the 2030s that it does not share any common interest and base for communication with humanity. Do you think that could happen?

It is not our problem. Artificial Intelligence is [countless] years away. What they call artificial intelligence today is not intelligence at all. It is less intelligent than a mosquito. A mosquito has motivation. Algorithms don’t have motivation. It is just a technology. One example I use is those machine learning systems that can recognize human faces. But can they recognize the face of a horse? They are not working in unpredictable conditions. It is not intelligence. We are hundreds of years away from artificial intelligence. The speed of technology development is not good enough to create such a complicated system [like the human brain] in a reasonable size, like the size of a building. I think that we are still far away from real artificial intelligence.

At the same time, I think that it is the end of the biological evolution of Homo sapiens. Evolution is different branches that lead to different places. Before Homo sapiens, there were other [archaic humans] like Homo erectus, Homo denisova, and Homo floresiensis in Indonesia. They were different. Then Homo sapiens came, killed everyone else and populated the earth. There are still different [ethnicities] like European and African. But now the world is global. My wife is Chinese. The world is becoming mixed and slowly will become the same nation with very close mixing of genes. So this is the end of Homo sapiens’ evolution. But I think the next step [in this evolution] is in using technologies as parts of us. How many people have an artificial heart? Many. And the technologies are getting better and better, so people use more and more. Perhaps there will be additions to the brain, perhaps to see more colors. We are now speaking about science fiction. However, Stanislaw Lem is always on my computer where I have the movie Solaris—but the Tarkovsky [version], not the new one.

E Do you believe there could be a digital afterlife, people’s minds being uploaded to quantum computers?

There are many such [imaginations] like the Black Mirror series. I think that sooner or later, if we do not disappear like the dinosaurs, the technologies will be good enough for this kind of task. But I say once again, the modern technologies and the speed of technology development is not fast enough to see that in the next 100 years.

To a question by AIWA about the magnate’s expectation for risks, challenges, and solutions in cybersecurity in the next three or four years, Kaspersky answers that he is no expert in geopolitical issues but does not like what he sees happening in this realm because the world is getting less stable. “Speaking about cybersecurity, I am afraid that in the next three to five years we will see a rising number of attacks on infrastructure,” he adds.

E State-sponsored or criminal?

Both, because there are so many mercenary hackers available. Thus, I am afraid of non-state sponsored attacks. This is the worst-case scenario, and it scares me a lot.

E And you say the immunity concept is to make the hacking attack more expensive than the hacking reward…

Exactly.

E …but in attacks sponsored by non-state actors the financial reward might not be part of the equation when the aim of an attack might be total destruction for destruction’s sake, with a cost that is not financially computable in relation to the sought reward?

If for causing such damage they have to invest such a huge amount of money that the cost of causing the damage is greater than the cost of the damage, they will damage themselves. The attacks of top profile hackers cannot be [driven by emotions]. They cannot be emotional, because it takes time [to develop such attacks], so the emotions disappear. Highest-profile, damaging hacking attacks on immune infrastructure will take a long time, and a huge investment.

(Upon an AIWA question about military cyber-attacks) I am afraid of military attacks with cyber weapons, but what I am really afraid of is non-state sponsored attacks because states do not just want to destroy others when they attack. They also want to protect their own infrastructures, which are vulnerable as well. Cyber weapons are a kind of boomerang. If it is proven that some nation sends a cyber weapon against someone else, [the attacked state] can employ hackers to send [the cyber attack weapon] back.

E So we would have the same balance of mutually assured destruction as existed between the Soviet Union and the West in the Cold War days?

And in cyberspace it is more complicated, because the old balance was based on traditional weapons. Cyber is different. In cyber, you can copy-paste. If a nation has enhanced cruise missiles, not every other nation can copy-paste these cruise missiles. In cyber? (Harrumphs) This is much less complicated [to reverse engineer a cyber weapon]. I am afraid of criminals, terrorists, and any kind of attack from people that have the motivation and the resources [to launch devastating cyber-attacks]. This is the worst-case scenario. I think states will keep the balance and find other ways [to have their conflicts], because cyber-attacks are very dangerous and cyber weapons are boomerangs and there could be collateral damage.